Security Bug in /frog/index.php


Aug 22, 2008 13:57

Hi there,
I think it is not a good idea to share the SQL login data with the whole world. If the SQL database is down, the error message looks like this:

>Fatal error: Uncaught exception 'PDOException' with message
>'SQLSTATE[HY000] [2002] Can't connect to local MySQL server
>through socket '/var/run/mysqld/mysqld.sock' (2)' in
>/var/www/localhost/htdocs/frog/index.php:41 Stack trace: #0
>/var/www/localhost/htdocs/frog/index.php(41):
>PDO->__construct('mysql:dbname=xx...', 'USER', 'PASS') #1
>{main} thrown in /var/www/localhost/htdocs/frog/index.php on line 41

The error message shows the data in plain text.
I have made a patch to prevent this bug.
The new error message looks like this:

>Connection failed: SQLSTATE[HY000] [2002] Can't connect to local
>MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

Here is the patch: frog_index.php-security_patch.tar.bz2
Contents:

  1. index.php new
  2. index.php_security.patch
  3. ChangeLog
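
The leak described in the post above, shown as an added example that is not Frog's code and not the poster's patch. When `new PDO(...)` throws and nothing catches it, PHP's default handler prints the exception together with a stack trace, and the trace lists the arguments of every frame, including the DSN, user name and password handed to `PDO::__construct()`. Wrapping the constructor in `try/catch` and printing only `$e->getMessage()` (the approach the poster's new message implies) removes the credentials, but the message still reveals the socket path and server layout. The hardened form below logs the full detail server-side and returns a fixed string to the browser. The DSN, user name, password and the function name `connect_db` are illustrative assumptions.

```php
<?php
// Added example (not Frog CMS code). Connection details below are placeholders.
$dsn  = 'mysql:dbname=frog;unix_socket=/var/run/mysqld/mysqld.sock';
$user = 'USER';   // assumed placeholder
$pass = 'PASS';   // assumed placeholder

// --- Vulnerable form ---------------------------------------------------------
// Uncaught PDOException: with display_errors on, PHP's default handler renders
// the exception plus a stack trace, and the trace prints the constructor's
// arguments verbatim, so the browser sees the DSN, user name and password.
// (Commented out so the file runs through to the hardened form.)
// $pdo = new PDO($dsn, $user, $pass);

// --- Hardened form -----------------------------------------------------------
function connect_db(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Full detail (SQLSTATE, socket path, host) goes to the server log only.
        error_log('DB connection failed: ' . $e->getMessage());
        // The client gets a constant string: nothing about paths, hosts or users.
        http_response_code(503);
        exit('Database connection failed. Please try again later.');
    }
}

// Defence in depth: even with the catch above, any *other* uncaught exception
// would still be rendered with a trace. Keep traces out of responses entirely
// and send them to the log instead. In php.ini these would be
// display_errors=Off and log_errors=On; set here for a self-contained example.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$pdo = connect_db($dsn, $user, $pass);
echo "connected\n";
```

Two practical checks: first, confirm the fix in the same way the poster did, by stopping MySQL (or pointing the DSN at a nonexistent socket) and loading the page; the response should contain neither `PDO->__construct(` nor the socket path. Second, note that recent PHP (8.2 and later) marks the `$password` parameter of `PDO::__construct()` with `#[\SensitiveParameter]`, so the trace shows a redacted placeholder for the password, but the DSN and user name still appear, so the catch-and-log pattern remains necessary.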
 
Aug 22, 2008 18:22

Thanks for the patch... I've released a security patch for this issue.